IoT

Security threat at DJI discovered

Cybersecurity professionals have warned that the personal data of users of DJI, the world's largest commercial drone designer and manufacturer, based in China, could be compromised as a result of a security flaw discovered in its software.

Headquartered in Shenzhen, DJI is best known for its photography and videography drones, and has recently begun to expand into corporate solutions.

In this particular instance, however, the information collected by the drones, including their regular flight patterns, was at risk of being accessed by hackers and cyber criminals.

DJI has said that the bug has now been fixed, which the California-headquartered security business Check Point has confirmed. Even so, the public disclosure of the flaw may revive debate in the USA over the use of Chinese-manufactured products, drones in particular, by its security agencies.

The argument had already reignited after the US government cautioned against the use of Huawei and ZTE telecommunication products across the country. Further, the US Army banned the use of DJI drones in August 2017 after finding a number of vulnerabilities in the system that threatened the security of classified internal research.

Earlier this year, Check Point's investigation of DJI's software infrastructure revealed that its authentication protocols made it easy for potential hackers to impersonate users, infiltrate the systems and view and steal data. Such information encompassed photos, videos, flight paths and GPS coordinates.

Researchers have pointed to the theft of tokens, the mechanism that allows users to access multiple applications on a single platform with one login, as the route by which the information could be stolen. Similar flaws in this mechanism have affected a number of other companies as well.

Check Point's head of products vulnerability research, Oded Vanunu, said: "We are seeing over the past two years that malicious actors are exploiting tokens, for example in a Facebook incident last month involving the theft of tokens," noting that the investigations had been carried out on Check Point's own initiative after numerous statements were released by the US Army regarding potential security flaws.

In response, DJI has acknowledged Check Point's analysis but characterised it as a high-risk, low-probability situation. A spokesperson for the company said the "vulnerability required a complicated set of preconditions to be successfully exploited: The user would have to be logged into their DJI account while clicking on a specially-planted malicious link in the DJI Forum."

Check Point noted that DJI took six months to correct the bug, twice as long as it ought to have taken to deal with the issue, according to Vanunu. Despite this, the company thanked Check Point for bringing the security flaw to light.

Mario Rebello, DJI's VP and country manager for North America, said: "All technology companies understand that bolstering cybersecurity is a continual process that never ends. Protecting the integrity of our users' information is a top priority for DJI."